A Normative Approach to Preventing Cyberwarfare

The Russian cyber attacks that were meant to skew the 2016 US election toward Donald Trump have raised new concerns about conflicts in cyberspace. How might normative taboos, such as those against chemical and biological weapons, be adapted to the cyber realm?

CAMBRIDGE – A series of episodes in recent years – including Russia’s cyber interventions to skew the United States’ 2016 presidential election toward Donald Trump, the anonymous cyber-attacks that disrupted Ukraine’s electricity system in 2015, and the “Stuxnet” virus that destroyed a thousand Iranian centrifuges – has fueled growing concern about conflict in cyberspace. At last month’s Munich Security Conference, Dutch Foreign Minister Bert Koenders announced the formation of a new non-governmental Global Commission on the Stability of Cyberspace to supplement the UN Group of Governmental Experts (GGE).

The GGE’s reports in 2010, 2013, and 2015 helped to set the negotiating agenda for cybersecurity, and the most recent identified a set of norms that have been endorsed by the UN General Assembly. But, despite this initial success, the GGE has limitations. The participants are technically advisers to the UN Secretary-General rather than fully empowered national negotiators. Although the number of participants has increased from the original 15 to 25, most countries do not have a voice.

But there is a larger question lurking behind the GGE: Can norms really limit state behavior?


A gentlemen's agreement in a gentlemen's club does not stop those not in the club, nor does it stop club members who have nefarious tendencies. What exactly is the penalty - to kick them out of the club when they are not really bothered about being in the club? Stuxnet is alleged to be a US virus; if so, it's a bit rich for the US to be pushing for LOAC to cover such actions. The real answer is beefing up cyber security, because relaxing standards because a gentleman's agreement is in place just leaves the back door open.

Technical solutions will probably be easier and more effective than any normative approach. For instance, one could simply control the character of traffic on the internet by denying carriage to any message that did not identify and validate its source via blockchain affixes. Malicious messages could then be easily traced and nets that did not meet those standards could be isolated.

None of this deals with the almost impossible task of identifying the attacker. Without a way to do this, the temptation to create a false flag attack is too high. To this day no one knows for sure who insisted Stuxnet or whether it was really Russia who hacked the DNC.

Without being so impolite as to question the author's bona-fides on these subjects, I'll cut straight to the proposed fix.

A taboo not on /weapons/, but rather on /targets/. This thinking never made sense for the shunned weapons of the material age, of course. What makes it different for cyber weapons?

Let's break cyber down into 3 categories:
(1) espionage, such as accessing information that is meant to be secured against one's access
(2) causing shutdowns or sabotage, as DDOS against an internet system, causing a shutdown of an information system, industrial process, energy utility, etc.
(3) information-enabled social attacks, as in manipulating public opinion, etc.

1 and 3 fall into the realm of covert intelligence operations. The existing norm is that they're traditionally exempt from any norms. One gets away with as much as one's relative position of power allows. This is horrendous - #3 especially has led to support of all sorts of generally despicable regime-change situations, but that's the present and recent past for you.

As far as we make analogies about taboos against WMDs, we are primarily talking about #2 -- using "cyber" methods to shut down and sabotage infrastructure systems to which we are not supposed to have access, per the access control policies of the infrastructure system's owners.

Sounds like a good idea to me. Much of the article conflates this with the other categories, which prevents clear discussion.

I think that distinction will also help the logic here.
Thus under this particular categorization, Nye appears to be grouping cyber with conventional, in spite of the text of this article which tries to make analogies with unconventional.

'Over time, the development of an informal norm of non-use of nuclear weapons changed this.' Is Nye kidding? There was no such norm, formal or informal as the Cuban Missile crisis proved. During the Bangladesh War, the US sent a signal to Delhi that they contemplated 'nuking Calcutta'. But India was under the Soviet nuclear umbrella and so the threat was not credible.

Since there is no normative aspect to nuclear strategy, why pretend something of the sort might obtain w.r.t. cyber warfare? The problem has been talked about since the late Seventies. It is known that 'civilian' targets - e.g. power grids - have to be disabled one way or another in the event of hostilities. Cyber warfare might be a more humanitarian way to achieve this.
What is the point of content-free articles like this? Is it to draw our attention to the waste of money represented by the UN?

Thank you for making a specific proposal in the cyber field. True, a rigid normative frame may not deter culprits altogether. Yet it may raise the cost of violating the norms.
These kinds of proposals sound dull and technical, but they often work.
Thank you once again, Joseph.
